WSO2 Identity Server uses XACML (eXtensible Access Control Markup Language) as a tool for controlling access to applications. For more information on how XACML is used in WSO2 IS, see XACML Architecture.
The following are the two types of access control supported by XACML.
- Role-based access control: Role-based access control (RBAC) is an approach that restricts access to authorized users based on their role. It is used by the majority of enterprises with more than 500 users. This is a static permission model: the permissions of a role are changed by updating the permission tree of WSO2 Identity Server. RBAC is a subset of ABAC, since a role is simply one attribute of the user.
- Attribute-based access control: Attribute-based access control (ABAC) defines a new access control paradigm whereby access rights are granted to users through policies that combine attributes together. Policy-based access control is done by extending the ABAC model.
XACML is an XML-based language for access control that has been standardized by the Technical Committee of the OASIS consortium. XACML is very popular in the community as a fine-grained authorization method. However, XACML has many other aspects beyond being a fine-grained authorization mechanism.
Although XACML was introduced by OASIS back in 2003, very few organizations have adopted it, because most organizations have not shown an interest in moving towards an XACML solution for authorization. However, in the current day and age things are changing, and more organizations are moving towards XACML-based authorization systems.
For more information on XACML specifications and other related information, see the OASIS website.
To summarize, XACML describes three things: an access control policy language, a request/response language, and a reference architecture. The policy language is used to express access control policies (who can do what, and when). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes the answers to those queries (responses). The following reference architecture proposes a standard for deploying the necessary software modules within an infrastructure to allow efficient enforcement of policies.
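The following is an added example, not taken from the WSO2 documentation or from the XACML specification, that shows the two languages described above side by side: a XACML 3.0 policy, a request sent to the Policy Decision Point, and the response it produces. It also illustrates the RBAC/ABAC relationship from the list above: the rule matches on a role attribute (RBAC) and then adds a condition comparing a user attribute with a resource attribute (ABAC). The subject attribute ids `http://wso2.org/claims/role` and `http://wso2.org/claims/department` are WSO2 claim URIs assumed for the example, and the resource attribute id `department` is a constructed name; the policy and rule ids are likewise made up for illustration.

```xml
<!-- Constructed example policy: a user with the "manager" role may read a
     document only if the document belongs to the user's own department.
     Combining algorithm deny-unless-permit: anything not explicitly permitted
     is denied, which is the safer default for an authorization policy. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="example-document-read-policy"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Managers may read documents of their own department (constructed example).</Description>
  <!-- Policy target: applies only to requests whose action is "read". -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="permit-manager-same-department" Effect="Permit">
    <!-- RBAC part: the subject must hold the "manager" role. -->
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="http://wso2.org/claims/role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <!-- ABAC part: the subject's department must equal the resource's department.
         MustBePresent="true" turns a missing attribute into Indeterminate rather
         than a silent non-match, so the PEP can see that data was missing. -->
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               AttributeId="http://wso2.org/claims/department"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="department"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

<!-- Constructed request: a manager from "finance" asks to read a finance document. -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
    </Attribute>
    <Attribute AttributeId="http://wso2.org/claims/department" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">finance</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="department" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">finance</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

<!-- Response the PDP returns for the request above. Change the resource
     department to "hr", or the role to "employee", and the rule no longer
     applies, so deny-unless-permit yields <Decision>Deny</Decision>. -->
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
```

Two design choices are worth noting. The policy-level Target filters on the action first, so the PDP skips the rule entirely for non-read requests and the role and department attributes are never evaluated. The rule uses `deny-unless-permit` rather than `permit-overrides`, so a request that hits no applicable rule, or that cannot be evaluated because an attribute is missing, is denied instead of returning NotApplicable or Indeterminate to a Policy Enforcement Point that may not handle those outcomes safely.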